From 8876b4ba016fb07eaedc7bf67f3666291fe0efb1 Mon Sep 17 00:00:00 2001
From: fornotes <125354166+fornotes@users.noreply.github.com>
Date: Wed, 15 Feb 2023 11:37:18 +0000
Subject: [PATCH] added SprintCSP.dll for StorSvc DLL Hijack
---
 .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index ebf54c4c2..76944cc3c 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -11,6 +11,7 @@ references:
 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
 - https://github.com/Wh04m1001/SysmonEoP
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+ - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
 modified: 2022/12/09
@@ -30,6 +31,7 @@ detection:
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
+ TargetFileName|endswith: '\SprintCSP.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
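Review bot: The added `TargetFileName|endswith: '\SprintCSP.dll'` in the second hunk cannot extend the rule's detection as written: Sigma ANDs the keys inside one selection map, so if this line sits beside the existing full-path list (whose key is above the hunk and is presumably `TargetFilename`, lower-case n, the Sysmon EID 11 field) no event can satisfy both, and if it sits at the `detection` level it becomes an identifier that `condition: selection and not filter` never references. The collapsed whitespace makes the exact indentation uncertain, but neither placement fires, and the differently-cased field name `TargetFileName` would additionally not map to the standard `TargetFilename` field in backend conversions. The fix that matches the rule's existing style is to append to the list after the `wow64log.dll` entry instead: `- 'C:\Windows\System32\SprintCSP.dll'`, which keeps the full-System32-path form of the other entries and the existing `filter` on `Image|startswith: 'C:\Windows\System32\'` unchanged. Since the detection logic changes, the `modified: 2022/12/09` context line in the first hunk should also be bumped to the commit date per Sigma rule conventions.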